CVE-2022-1043: 
CBL Mariner vulnerability analysis and mitigation

A flaw was discovered in the Linux kernel's io_uring implementation (CVE-2022-1043) that allows an attacker with a local account to corrupt system memory, crash the system, or escalate privileges. The vulnerability was reported on August 20, 2021, and was publicly disclosed on February 16, 2022. The issue affects Linux kernel versions from 5.1 up to 5.14-rc7 (ZDI Advisory, NVD).

The vulnerability exists in the handling of credentials in io_uring implementation. The specific flaw stems from the lack of validation for object existence prior to performing operations on the object. The issue was assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating local access requirements with low attack complexity. The vulnerability is classified as a Use-After-Free (CWE-416) issue (ZDI Advisory, NVD).

The vulnerability can lead to system memory corruption, system crashes, or privilege escalation allowing attackers to execute arbitrary code in the context of the kernel. This gives an attacker with a local account the ability to gain root privileges on the affected system (NVD, ZDI Advisory).

The vulnerability was fixed in Linux kernel version 5.14-rc7 through a patch that corrects the xaalloccycle() error return value check. The fix involves properly validating return values to prevent the use-after-free condition. Users are advised to upgrade to a patched kernel version to mitigate this vulnerability (GitHub Commit).